alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/^\/[A-Za-z0-9]+(?:\/[A-F0-9]+){3,}$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a11)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; depth:3; endswith; http.start; content:"P/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,17bd012f145bba62b4e58b376d8002d3; classtype:command-and-control; sid:2022609; rev:6; metadata:created_at 2016_03_10, deprecation_reason Performance, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_05_01;)